ABSTRACT 



A method and system for controlling computer security. The system is a centralized, computer-network security management tool capable of handling many different kinds of equipment in a standardized format despite differences in the computer security features among the diverse range of computer equipment in the computer network. The invention uses a layered software architecture, including a technology specific layer and a technology independent layer. The technology specific layer serves to extract and maintain security data on target platforms and to convert data to and from a common data model used by the technology independent layer. The technology independent layer handles the main functionality of the system such as locating and removing certain present and former employees from computer access lists, auditing system user data, monitoring security events (e.g. failed login attempts), automatically initiating corrective action, interfacing with the system users, reporting, querying and storing of collected data.

34 Claims, 36 Drawing Sheets 
COMPUTER NETWORK SECURITY MANAGEMENT SYSTEM

BACKGROUND OF THE INVENTION 

The present invention is generally directed to a computer security system and, more particularly, to a centralized, computer-network security management system capable of handling many different kinds of equipment in a standardized format despite differences in the computer security features among the diverse range of computer equipment in the computer network.

With the current-day increase in dependence on information systems for doing business the risk of misuse or sabotage of those systems has grown to be very real. Making the problem more real are the daily news stories of hackers breaking into computers, and computers being infected with viruses. Adding to the risk is the rise in the number of mergers and acquisitions, which has resulted in large numbers of both new system users and potentially disgruntled displaced workers.

To reduce the risk, various technical solutions have been developed, for example the requirement for a password to be entered before logging on to a system. In addition, non-technical solutions have been developed, for example in the form of company policies that mandate the disablement of logon accounts not used for 90 days or more.

These solutions have helped alleviate the problems but have also opened up new ones. The technical solutions have brought with them the need for security administration, and with that has sometimes come incomplete or incompetent administration. There is a need for constant auditing of security systems to ensure compliance. The large number of users and systems makes manual auditing impractical. Larger companies tend to have the additional problem arising from their use of large computer networks containing many different kinds of equipment, each with its own version of security handling features and protocols. These incompatible protocols and the added problem of rapidly changing technical environments on world wide networks have aggravated and impeded the search for a satisfactory solution.

At present, many large companies are saddled with large, complicated information security schemes that contain loopholes and which cannot be supervised and audited effectively. This has increased their vulnerability to unauthorized use of their confidential information systems and databases for industrial espionage or even to sabotage.

SUMMARY OF THE INVENTION

Accordingly, it is an object of the present invention to provide an improved security management system for computer networks.

It is a further object of the invention to provide a computer network security management system which is easier to implement and use.

Yet another object of the invention is to provide a computer network security management system which provides a high measure of confidence that the security of a computer network will not be breached.

A further object of the invention is to provide a computer network security management system having a standardized protocol for handling security issues across a large range of different pieces of computer equipment.

The foregoing and other objects of the invention are realized in accordance with the present invention by a system which collects information from all repositories of security data on a computer network, standardizes it, stores the data in a central database and enables automatic and manual correction of erroneous data.

Components of the invention report on exceptions to, i.e. deviations from, security policies, and an automatic mechanism dynamically fixes compliance problems by administering the native security platforms. An analysis component reviews incoming data, looking for system break-in attempts and irregular or suspicious changes to vital security components. Another analysis component enables grouping of data by person or organization, across security platform boundaries. A manual maintenance component allows system maintenance to be done through a common user interface.
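As an added illustration of the analysis component just described (example code written for this page, not code from the patent), the following Python sketch pools audit events from several security domains to spot a logon-guessing attempt that no single platform would flag on its own, and compares monitored files against a baseline to detect changes to vital security components. The record shapes follow the Audit events, Baseline files and Monitored files tables listed later in the description; the sample rows, the thresholds and the function names are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the technology-independent "Audit events" table:
# (security domain type code, security domain name, event code, event date and time,
#  event user, event success or fail indicator). All values are made up for this example.
AUDIT_EVENTS = [
    ("NT",      "CORP",    "LOGON", "1998-03-02 08:01:10", "jsmith", "F"),
    ("UNIX",    "hr-srv1", "LOGON", "1998-03-02 08:03:40", "jsmith", "F"),
    ("NETWARE", "FS1",     "LOGON", "1998-03-02 08:04:05", "jsmith", "F"),
    ("NT",      "CORP",    "LOGON", "1998-03-02 09:00:00", "rjones", "F"),
    ("UNIX",    "hr-srv1", "LOGON", "1998-03-02 09:05:00", "rjones", "S"),
    ("NT",      "CORP",    "LOGON", "1998-03-02 11:30:00", "rjones", "F"),
]

# Constructed rows in the shape of the "Baseline files" table:
# (security domain type code, file name, file creation date, file created by)
BASELINE_FILES = [
    ("UNIX", "/etc/passwd", "1997-11-01", "root"),
    ("UNIX", "/etc/shadow", "1997-11-01", "root"),
]

# Constructed rows in the shape of the "Monitored files" table (subset of its columns):
# (security domain type code, security domain name, file name, file creation date, file created by)
MONITORED_FILES = [
    ("UNIX", "hr-srv1",  "/etc/passwd", "1997-11-01", "root"),
    ("UNIX", "hr-srv1",  "/etc/shadow", "1998-03-01", "jsmith"),
    ("UNIX", "dev-srv2", "/etc/passwd", "1997-11-01", "root"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def failed_logon_alerts(events, threshold=3, window_minutes=10):
    """Return {user: count} for users whose failed logons, pooled across every security
    domain, reach `threshold` inside any period of `window_minutes`. Pooling is the point:
    three failures spread over NT, Unix and NetWare look harmless to each platform alone."""
    window = timedelta(minutes=window_minutes)
    failures = {}
    for _dtype, _dname, code, when, user, outcome in events:
        if code == "LOGON" and outcome == "F":
            failures.setdefault(user, []).append(_ts(when))
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def baseline_deviations(baseline, monitored):
    """Compare each monitored domain against the baseline for its domain type and return
    (security domain name, file name, reason) for files that changed or disappeared."""
    expected = {}
    for dtype, fname, created, by in baseline:
        expected.setdefault(dtype, {})[fname] = (created, by)
    observed = {}
    for dtype, dname, fname, created, by in monitored:
        observed.setdefault((dtype, dname), {})[fname] = (created, by)
    findings = []
    for (dtype, dname), files in sorted(observed.items()):
        for fname, want in sorted(expected.get(dtype, {}).items()):
            got = files.get(fname)
            if got is None:
                findings.append((dname, fname, "missing"))
            elif got != want:
                findings.append((dname, fname, "changed"))
    return findings
```

With the constructed rows, `failed_logon_alerts` reports only jsmith (three failures on three platforms within three minutes), while rjones's two failures hours apart stay below the window; `baseline_deviations` reports /etc/shadow recreated by a non-root account on hr-srv1 and absent from dev-srv2.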

The invention uses a layered software architecture, enabling a separation of basic functions from the complications of differing technologies, and facilitating automated handling of many operations. The architecture can be viewed at a very high level as consisting of two layers: technology specific and technology independent. The technology specific layer consists of many groups of software modules, each group addressing the complexities of a single technology (e.g., NetWare™ 3.1, Windows NT, AIX, Sybase, etc.). The primary functions of the technology specific layer are extracting and maintaining security data on the target platforms, and converting the data to and from the common data model used by the technology independent layer.

The technology independent layer handles the main functionality of the system: locating terminating employees, auditing system and user data, monitoring security events (e.g. failed login attempts), automatically initiating corrective action, interfacing with the system users, reporting, querying and storing of collected data.

The invention is unique in many aspects including the following. It is a self-correcting data security audit system. In contrast, many existing approaches rely on manual correction after policy discrepancies are detected. The invention automatically takes action, changing system parameters (e.g., minimum password length made consistent with policy) or user parameters (e.g., forcing a password change at the next login if time limit is exceeded) as necessary.

The invention is also able to capture security data from all of the different platforms, consolidate it and operate on it in a common format. It is also unique in that it is able to identify the persons who own the various accounts. Existing products collect data only for a single environment or machine, leaving the security officers to manually consolidate across platforms.

Analyzing multi-platform data for security break-in attempts is another unique aspect. Sophisticated attacks on the information systems can be detected with this feature. The invention also provides the ability to manage security with a single user interface while not giving up the ability to simultaneously use platform specific tools. Prior to the invention, a decision to use centralized security management forced abandonment of platform specific tools. This is because centralized management tools use their own accounts data base which is then replicated to the actual platforms. Changes not made through the centralized tool are "lost" as far as the centralized tool is concerned. The invention avoids this limitation by routinely collecting data from the platforms, so it is always aware of changes.

Other features and advantages of the present invention will become apparent from the following description of the invention which refers to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art computer security management system.

FIG. 2 is a conceptual block diagram of the system layout of a centralized computer network security management system in accordance with the present invention.

FIG. 3a is a block diagram and flow-chart delineating the information flow and major functions of the system of FIG. 2.

FIG. 3b is a continuation of FIG. 3a.

FIGS. 4a-4l are flow charts depicting major functions that are carried out by various components of the invention.

FIGS. 5a-5d are sample computer screens generated in the course of the collection agent component of the present invention performing its tasks.

FIGS. 6a-6e are flow charts which depict interactions between various components of the system of the present invention.

FIG. 7 [description illegible in the scan] of the present invention.

FIGS. 8a-8h show further computer operator screens generated in the course of the operation of the present invention.

FIGS. 9a-9b are further flow charts illustrating the operation of the present invention.

FIG. 10 shows an information entry block form used to add an account in the system of the present invention.

FIGS. 11a-11c show portions of computer source code used to implement certain functions performed by the present invention.

DETAILED DESCRIPTION OF THE INVENTION

With reference to FIG. 1, typical large business or governmental organizations have complex computer systems comprising many different computer hardware units or networks that operate under diverse and disparate software products which are intrinsically incompatible with one another. In a typical system, one group of computers may operate under a Netware software system 12, another group 14 may use the Unix operating system 14, a third Windows NT 16, or AIX 18 or constitute a database operating under the Sybase 20 database software system. Each of these systems has a different and unique security management approach and protocol, as represented by the security system software blocks 22, 24, 26, 28, 30 which correspond to the software systems 12, 14, 16, 18, 20, respectively.

To the extent that a system administrator wishes to exercise supervision and control over security issues relating to such systems, it is necessary for the various groups of computers to be connected to a central security administration system 10 via specifically designated lines 32, 34, 36, 38 and 40. In the prior art, the security administration system 10 may comprise no more than individual computer terminal(s) (not shown) which allow security personnel to individually query and maintain security standards at the different computer systems on a system-by-system basis. The approach of the prior art is cumbersome and not particularly reliable.

The present invention allows a security administration system 50 (conceptually shown in FIG. 2) to handle security issues on a global basis by enabling personnel which are responsible for it or automatic computer equipment to issue common commands that are applicable to the various pieces of hardware and software subsystems. With reference to FIG. 2, a company-wide computer network 52 consists of different hardware/software subsystems, 12, 14, 16, 18 and 20 each of which has a specific security domain 22-30 (FIG. 1) are all coupled to an abstraction facility 54 which serves to reformat and standardize security related data packets. Thereby, the abstraction facility 54 is able to provide over line 55 security data pertaining to all of the subsystems 12-20 for the purpose of being handled by the central security processor 60 in a consistent and standard manner. This enables the security administration or personnel 62 which are coupled to the central security processor 60 to handle and deal with security issues in a direct, globally applicable and standardized format. Indeed, the central processor 60 is programmed to act on many security related decisions automatically. Either way, when a decision concerning security matters is made, the processor responds by taking several actions, including providing relevant information and commands to a compliance facility 58 which processes the information and causes the central security processor 60 to issue the appropriate commands to the local commands translator 56.

The function of the local commands translator 56 is to translate general security-related instructions to group-wise or device-specific instructions which can be understood by the individual subsystems 12-20 of the computer network 52. The compliance facility 58 also interfaces with an alerting facility agent 64 that is able to contact key personnel or other computer systems, e.g. an external system 68, regarding security breaches. Appropriate hard copy reports and the like can be provided through a reports generator 66.

Reference is now made to FIGS. 3a and 3b which explain in greater detail the system configuration and overall software flow of the system of the present invention. The technology specific layer consists of many groups of security related software modules which are depicted in FIG. 3a as security domains 70a, 70b, 70c ... 70n. The security domains 70a-70n represent workstations, servers, LANs, Windows NT and other such computer software or hardware that are of interest to security officers and auditors. The definition of a security domain depends on the security architecture of the platform. For example, Windows NT normally manages security at a domain level, managing a group of machines, while NetWare™ manages it on a per-machine basis. Each security domain houses its own store of security information, i.e. parameter settings, user Ids, passwords, etc.

The security domains 70a-70n communicate with collection agents 72a, 72b, 72c ... 72n, respectively. These collection agents 72a-72n, a part of security administration system 50, represent software facilities written specifically for the corresponding operating system or system software components, for example the workstation server, LAN or NetWare™ software facility comprising the security domains 70a-70n. Therefore, there are many different collection agents, each of which is associated with a specific security domain type. The present invention has been reduced to practice with collection agents specific to NetWare™ 3.1, NetWare™ 4.0, Windows NT, two different remote access servers, RACF, ACF2, Sybase, Oracle, AS 400, VAX/VMS, Tandem, Lotus Notes, four different UNIX operating systems and an Internet firewall.

The collection agents 72a-72n use system utilities and/or APIs (Application Programming Interfaces) to extract from the individual security domains 70a-70n specific data defining security information pertaining to the system users, passwords, security groups, and where applicable:
permissions, access controllers, logon events, file access events, system management events, file attributes, software and hardware versions, password control parameters, system parameters and the like. The information they collect is passed to the collection agent abstraction layer or facility 74 for further processing.

The collection agent abstraction facility 74 comprises a rule-driven software facility that rationalizes the data collected by the collection agents 72a-72n into standardized sets of data. This allows software modules which subsequently handle the data to ignore platform specific differences, in a manner which enables further processing of security data to be handled as source-independent information. The collection agent abstraction facility 74 takes into account platform differences as well as other differences such as administrative conventions used at each specific security domain. It enhances the data by identifying account owners, thereby forming a link to personnel and organizational information. This facility 74 is a key component of the solution because it allows auditors and security officers to view their many environments with a single tool, and a single, enhanced view of the data.

The collection agent abstraction facility 74 may run on one or more computers, as may be necessitated by system considerations. Furthermore, more than one software package may run on the same machine. The collection agent abstraction facility 74 may execute on the same machine and at the same time as other software (to be described) is running.

The information developed and organized by the collection agent abstraction facility 74 is stored in the database 76. This database 76 uses off-the-shelf software for storing and receiving collected data. In an embodiment of the invention which has been reduced to practice the database 76 has been implemented through the use of the well-known Sybase™ database engine. Data rationalized by the collection agent abstraction facility 74 has been organized and stored in the embodiment that has been reduced to practice in the manner shown in Table I below.

TABLE I
DATABASE TABLES (Technology Independent)

Table Name                              Column Name

User accounts                           security domain type code
                                        security domain name
                                        user account id
                                        user account name
                                        user account last login date
                                        user account creation date
                                        user account created by id
                                        user account disabled
                                        user account name tokens
                                        user account ssn token
                                        user account department token
                                        user encrypted password

Privilege groups                        security domain type code
                                        security domain name
                                        group name

Privilege group members                 security domain type code
                                        security domain name
                                        group name
                                        user account id

Security domains                        security domain type code
                                        security domain name
                                        security domain minimum password length
                                        security domain password requires alpha and num
                                        security domain password history count
                                        security domain password reuse count
                                        security domain password pre-expired indicator
                                        security domain failed login disable count
                                        security domain workstation disable indicator
                                        security domain legal notice indicator
                                        security domain operating system version
                                        security domain operating system type
                                        security domain operating system patch number
                                        security domain hardware information

Resource access privileges              security domain type code
                                        security domain name
                                        user account id
                                        resource name
                                        resource type
                                        resource access privileges

Monitored files                         security domain type code
                                        security domain name
                                        file name
                                        file creation date
                                        file created by
                                        file last updated date
                                        file last updated by
                                        file size
                                        file permissions
                                        file location

Audit events                            security domain type code
                                        security domain name
                                        event code
                                        event date and time
                                        event user
                                        event success or fail indicator
                                        event file name
                                        event other information

Security policies                       security policy minimum password length
                                        security policy password requires alpha and num
                                        security policy password history count
                                        security policy password reuse count
                                        security policy password pre-expired indicator
                                        security policy failed login disable count
                                        security policy workstation disable indicator
                                        security policy legal notice indicator

Baseline files                          security domain type code
                                        file name
                                        file creation date
                                        file created by

User account maintenance                security domain type code
                                        security domain name
                                        user account id
                                        user account name
                                        user account disabled
                                        user account ssn token
                                        user account department token
                                        maintenance action code

Privilege groups maintenance            security domain type code
                                        security domain name
                                        group name
                                        maintenance action code (add, remove)

Privilege group members maintenance     security domain type code
                                        security domain name
                                        group name
                                        user account id
                                        maintenance action code (add, remove)

Resource access privileges maintenance  security domain type code
                                        security domain name
                                        user account id
                                        resource name
                                        resource type
                                        resource access privileges
                                        maintenance action code (add, remove, change)

The database component 76 also includes graphical user interface (GUI) programs that allow the system's administrators to maintain "static" tables, such as the security policy and base file tables, as shown in Table I.

Referring now to FIG. 3b, note that the standardized information in the database 76 is accessible to several different software facilities identified as the compliance agent 78, the alert agent 80 and the query agent 82.

The compliance agent software 78 is software that analyzes collected data to determine if user and system data complies with security policy requirements. This component of the invention is another key component of the solution, which allows auditors and security officers to automatically monitor the computer network security environments. In the prior art, security officers had to manually check the settings for each machine, LAN, domain, etc. The compliance agent 78 produces exception reports identifying non-complying systems and users, and also passes its findings to a system component called the active agent 84 for further processing.

The active agent 84 is software that determines whether and how to bring non-complying computer subsystems into compliance. To this end, the active agent 84 issues instructions and commands to the maintenance agent abstraction layer or facility 90. Typical instructions are to disable user accounts of terminated employees, disable accounts that have not been used recently, change server parameters to ensure adequate password rules and force users to change their non-compliant passwords at the next logon, when this is warranted. The active agent 84 can be suppressed for certain user accounts or certain ones of the security domains 70a-70n, based on exception records stored in the database 76. For example, administrator or supervisor accounts may be dormant for many months on a particular computer, but must not be disabled or deleted. The active agent 84, operating in conjunction with the compliance agent 78 constitutes a self-policing, self-enforcing security system that operates automatically to keep the individual security domains 70a-70n in compliance with company security policies and regulations.
The logical flow and key software steps of the active agent comprise the self-explanatory steps 84a, 84b, 84c, 84d and 84e shown in FIG. 4/. The interaction of the active agent 84 with a data block 76d of the database 76, which contains exception parameters, and with other components of the invention is illustrated in FIG. 6c.

Typical instructions of the active agent 84 include such instructions as to disable user accounts of terminated employees, disable accounts that have not been used recently, change server parameters to ensure adequate password rules and force users to change their non-compliant passwords at the next logon. The active agent 84 can be suppressed for certain user accounts or security domains, based on exception records stored in the database 76.
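The division of labour between the compliance agent 78 (report deviations, change nothing) and the active agent 84 (decide corrective actions, honour exception records) is shown below in Python as an added example; it is not code from the patent. The rows follow the Security policies, Security domains and User accounts tables of Table I, the exception records stand in for data block 76d, and the 90-day dormancy limit is the company policy quoted in the background section. All sample values, the person tokens and the action tuple layout are constructed for this example.

```python
from datetime import date

DORMANT_DAYS = 90   # policy from the description: disable accounts unused for 90 days or more

# Constructed sample of the "Security policies" table (one company-wide row; every value is a minimum).
POLICY = {"min_password_length": 8, "password_history_count": 5, "failed_login_disable_count": 5}

# Constructed rows in the shape of the "Security domains" table (subset of columns).
DOMAINS = [
    {"domain_type": "NT",   "domain": "CORP",    "min_password_length": 6,
     "password_history_count": 5, "failed_login_disable_count": 5},
    {"domain_type": "UNIX", "domain": "hr-srv1", "min_password_length": 8,
     "password_history_count": 0, "failed_login_disable_count": 5},
]

# Constructed rows in the shape of the "User accounts" table (subset of columns).
ACCOUNTS = [
    {"domain_type": "NT",   "domain": "CORP",    "id": "jsmith",        "last_login": date(1997, 10, 1),
     "disabled": False, "ssn_token": "T1001"},
    {"domain_type": "NT",   "domain": "CORP",    "id": "Administrator", "last_login": date(1997, 6, 1),
     "disabled": False, "ssn_token": None},
    {"domain_type": "UNIX", "domain": "hr-srv1", "id": "rjones",        "last_login": date(1998, 2, 20),
     "disabled": False, "ssn_token": "T1002"},
    {"domain_type": "UNIX", "domain": "hr-srv1", "id": "mlee",          "last_login": date(1998, 2, 28),
     "disabled": False, "ssn_token": "T1003"},
]

TERMINATED_TOKENS = {"T1003"}                          # constructed: people who have left the company
EXCEPTION_RECORDS = {("NT", "CORP", "Administrator")}  # constructed exception records (data block 76d)


def _account_key(acct):
    return {"domain_type": acct["domain_type"], "domain": acct["domain"], "user_id": acct["id"]}


def compliance_exceptions(policy, domains, accounts, terminated_tokens, today):
    """Compliance agent 78: report every deviation from policy. Nothing is changed here."""
    findings = []
    for dom in domains:
        for setting, required in policy.items():
            if dom[setting] < required:
                findings.append({"kind": "domain_setting", "domain_type": dom["domain_type"],
                                 "domain": dom["domain"], "setting": setting,
                                 "actual": dom[setting], "required": required})
    for acct in accounts:
        if acct["disabled"]:
            continue
        if acct["ssn_token"] in terminated_tokens:
            findings.append({"kind": "terminated_employee", **_account_key(acct)})
        elif (today - acct["last_login"]).days >= DORMANT_DAYS:
            findings.append({"kind": "dormant_account", **_account_key(acct)})
    return findings


def active_agent(findings, exception_records):
    """Active agent 84: turn findings into platform-independent instructions for the
    maintenance agent abstraction facility, skipping accounts covered by an exception record."""
    actions = []
    for f in findings:
        if f["kind"] == "domain_setting":
            actions.append((f["domain_type"], f["domain"], "set_parameter", f["setting"], f["required"]))
            continue
        if (f["domain_type"], f["domain"], f["user_id"]) in exception_records:
            continue   # e.g. a supervisor account that is dormant by design but must stay enabled
        actions.append((f["domain_type"], f["domain"], "disable_account", f["user_id"], None))
    return actions


def run_cycle(today=date(1998, 3, 2)):
    findings = compliance_exceptions(POLICY, DOMAINS, ACCOUNTS, TERMINATED_TOKENS, today)
    return findings, active_agent(findings, EXCEPTION_RECORDS)
```

Note that the dormant Administrator account still appears in the compliance findings (the exception report stays complete for the auditors) but produces no action, which is exactly the suppression the description attributes to the exception records.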

Commands and instructions concerning security measures to be taken relative to the security domains 70a-70n are also received by the maintenance agent abstraction facility 90 from the manual maintenance agent 86. The manual maintenance agent receives manual inputs 87 which are translated into commands concerning security issues that are manually inputted by the administrator or security officer of the system of the present invention.

The maintenance agent abstraction facility 90 is accordingly configured to receive hardware and software independent instructions from the active agent 84 and from the manual maintenance agent 86. It converts these instructions into general hardware and software instructions that pertain to the individual platforms, i.e. security domains 70a-70n. More specifically, the maintenance agent abstraction facility 90 passes the instructions and commands to the individual maintenance agents 92a-92n. Each of these maintenance agents 92a-92n communicates exclusively with a corresponding one of the security domains 70a-70n and is designed to convert the general hardware and software instructions to specific instructions that can be understood by the individual platforms, i.e. security domains 70a-70n. Since the data collection is standardized by the collection agent abstraction facility 74 and the issuance of instructions to the security domains 70a-70n is also standardized in the maintenance agent abstraction facility 90, the invention obviates the need for separate local databases. This allows account maintenance to be done using any available tools such as native environment tools, or by the manual maintenance agent 86 or the active agent 84 working in conjunction with the compliance agent 78.

Internally (FIG. 9b), the maintenance agent abstraction facility 90 receives incoming platform independent instructions 93 (via the manual maintenance agent 86) and requests 95 involving requests for changes and deletions (via the active agent 84). It then parses and validates these requests as shown at step 97. It converts the parsed requests into platform-specific requests as shown at steps 99a and 99b of FIG. 9b. It does this by consulting internal mapping tables 91 which direct movement of data from the input fields to the output fields, i.e. from the general format security instruction protocol to the protocol that is more appropriate to the individual security domains. Finally, the maintenance agent abstraction facility commands the appropriate maintenance agents 92a-92n to carry out the specific requests and/or commands. In this manner, one platform independent request might result in iterative execution of a single maintenance agent function and/or the execution of multiple maintenance agent actions depending on the request.

The maintenance agents 92a-92n comprise platform-specific software, so there are many different types of maintenance agents. This software invokes the security processing of the native platforms, i.e. of the security domains 70a-70n, through commands or programming APIs, to accomplish the work passed from the active agent 84 and the manual maintenance agent 86 through the maintenance agent abstraction facility 90. The broadly described program steps 93a, 93b and 93c are self-explanatorily depicted in FIG. 4i.

The specific architectures of the various maintenance agents 92a-92n can take on different forms depending on the environment. For example, in the NetWare™ environment, the maintenance agent is a Visual Basic™ application that issues NetWare™ API calls to accomplish its work. In the Windows NT environment, the maintenance agent is also a Visual Basic™ application, but uses the Win32 API. For Unix environments, the maintenance agent may be a C program that issues Unix commands and operates on the security files. In the RACF and ACF2 environments, the maintenance agents produce command files which are uploaded to the hosts and executed there. Since the maintenance agent abstraction facility 90 has already prepared most of the protocol and command structure necessary to control the security domains 70a-70n, the maintenance agents 92a-92n are generally simpler programs. The overall flow diagram of the maintenance agents 92a-92n includes steps 93a, 93b and 93c which are presented in FIG. 4l.
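The following Python sketch is an added example (not the patent's code) of the maintenance agent abstraction facility's internal flow: parse and validate a platform-independent request (step 97), consult a mapping table (tables 91, steps 99a/99b) and hand the resulting platform-specific commands to the maintenance agent for each security domain, so that one request can fan out into repeated or multiple agent actions. The request layout, the mapping-table contents and the command templates are assumptions made for this example; the real tables 91 are not given in the description. Because user identifiers end up inside commands that a platform executes, validation rejects anything that is not a plain identifier before any mapping happens.

```python
import re

# Internal mapping tables 91 as assumed for this example: for each (security domain type,
# operation), the command templates the corresponding maintenance agent carries out.
# The command forms are this example's assumptions about what an agent might emit.
MAPPINGS = {
    ("UNIX", "disable_account"): ["usermod -L {user_id}",                 # lock the password
                                  "usermod -s /sbin/nologin {user_id}"],  # and refuse interactive logins
    ("NT",   "disable_account"): ["net user {user_id} /active:no"],
    ("RACF", "disable_account"): ["ALTUSER {user_id} REVOKE"],            # goes into a command file for the host
    ("NT",   "set_parameter:min_password_length"): ["net accounts /minpwlen:{value}"],
}

REQUIRED_FIELDS = {
    "disable_account": ("domain_type", "domain", "user_ids"),
    "set_parameter":   ("domain_type", "domain", "setting", "value"),
}
VALID_ID = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # nothing a shell or host command parser treats specially


def parse_and_validate(request):
    """Step 97: reject malformed requests before anything reaches a platform."""
    op = request.get("op")
    if op not in REQUIRED_FIELDS:
        raise ValueError(f"unknown operation {op!r}")
    missing = [f for f in REQUIRED_FIELDS[op] if f not in request]
    if missing:
        raise ValueError(f"{op}: missing fields {missing}")
    if op == "disable_account":
        bad = [u for u in request["user_ids"] if not VALID_ID.match(u)]
        if bad:
            raise ValueError(f"user ids not acceptable inside a command: {bad}")
    elif not isinstance(request["value"], int) or request["value"] < 0:
        raise ValueError("parameter values must be non-negative integers")
    return request


def is_valid(request):
    try:
        parse_and_validate(request)
        return True
    except ValueError:
        return False


def to_platform_requests(request):
    """Steps 99a/99b: consult the mapping table and return (domain_type, domain, command)
    tuples, one per maintenance-agent action."""
    req = parse_and_validate(request)
    op = req["op"]
    key = (req["domain_type"], op if op != "set_parameter" else f"set_parameter:{req['setting']}")
    templates = MAPPINGS.get(key)
    if templates is None:
        raise ValueError(f"no mapping for {key}")
    out = []
    if op == "disable_account":
        for uid in req["user_ids"]:        # iterative execution of the same agent function
            for tpl in templates:          # possibly several agent actions per user
                out.append((req["domain_type"], req["domain"], tpl.format(user_id=uid)))
    else:
        for tpl in templates:
            out.append((req["domain_type"], req["domain"], tpl.format(value=req["value"])))
    return out


def dispatch(requests):
    """Group the platform-specific commands by maintenance agent (one agent per security domain)."""
    by_agent = {}
    for req in requests:
        for dtype, dname, cmd in to_platform_requests(req):
            by_agent.setdefault((dtype, dname), []).append(cmd)
    return by_agent


# Constructed platform-independent requests, as the facility would receive them from the
# active agent 84 (requests 95) or the manual maintenance agent 86 (instructions 93).
REQUESTS = [
    {"op": "disable_account", "domain_type": "UNIX", "domain": "hr-srv1", "user_ids": ["mlee", "rjones"]},
    {"op": "disable_account", "domain_type": "NT",   "domain": "CORP",    "user_ids": ["jsmith"]},
    {"op": "set_parameter",   "domain_type": "NT",   "domain": "CORP",
     "setting": "min_password_length", "value": 8},
    {"op": "disable_account", "domain_type": "RACF", "domain": "MVS1",    "user_ids": ["MLEE"]},
]
```

The Unix mapping shows the "multiple agent actions" case (two commands per user) and the two-user request shows the "iterative execution" case; the RACF entry reflects the description's note that those agents produce a command file rather than calling an API.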

As described above, the system of the present invention 
constitutes a self -correcting data secmity audit system which 
operates both in an automatic mode and in response to 
specific inputs from the administrator or other security 30 
personnel through the manual maintenance facility 86. The 
invention automatically takes actions and changes system 
parameters or user parameters as necessary. The invention 
automatically, reliably and consistently captures all of the ^^^^^^^^ 
security data from all of the different platforms, consolidates 35 resource name 
the data and operates on it in accordance with a common resource type 
format and protocol It then acts on that information to 
control the system, again employing a common format that 
gets translated only at the last layer via the maintenance fyg name 
agents 92a-92n to fit the specific formats required by the 40 creation data 
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TABLE Il-continued 



10 



15 



20 



COLLECTION AGENT OUTPUT HELDS 


NetWare 


Field Name 


Unix 


NT 


user account created by id 






X 


user account disabled 


X 


security domains 70a-70n. Additional functions and features of the aforementioned components of the system of the present invention are described in further detail with reference to the remaining figures.

FIGS. 4a-4c provide three examples of procedures used in the collection agents 72a-72n by setting forth various process steps executed in those elements of the instant invention. More specifically, FIG. 4a shows the steps 75a, 75b, 75c, 75d, 75e, 75f, 75g, 75h, 75i, 75j and 75k for a Unix controlled security domain. FIG. 4b shows steps 75l through 75t for a Windows NT security domain and FIG. 4c the steps 75u-75ab for a NetWare™ environment. In this connection, Table II reproduced below shows the data that is collected by the collection agents 72a-72n and passed to the collection agent abstraction facility 74, via database 76.

TABLE II

COLLECTION AGENT OUTPUT FIELDS

Field Name (the original table marks, against each field, which of the Unix, NT and NetWare platforms supplies it)

USER ACCOUNT RELATED
user account id
user account name
user account last login date
user account creation date
user encrypted password
SECURITY GROUP RELATED
group name
group user accounts
SECURITY DOMAIN RELATED
security domain type code
security domain name
security domain minimum password length
security domain password requires alpha and num
security domain password history count
security domain password reuse count
security domain password pre-expired indicator
security domain failed login disable count
security domain workstation disable indicator
security domain legal notice indicator
security domain operating system version
security domain operating system type
security domain operating system patch number
security domain hardware information
RESOURCE ACCESS RELATED
resource access privileges
FILE RELATED
file created by
file last update date
file last updated by
file size
file permissions
file location
AUDIT EVENT RELATED
event code
event date and time
event user
event success or fail indicator
event file name
event other information


For example, the collection agents are able to extract and report to the collection agent abstraction facility the "user account ID" for the Unix, Windows NT and NetWare™ platforms. However, a field such as the "user account created by ID" can only be gathered from the NetWare™ platform. Table II further shows that the different data pieces can be grouped into different categories, for example, a group of data which is "user account" related and another which is "security group" related, etc.

FIGS. 5a and 5b show, respectively, computer screens 85a, 85b provided to the system operator to enable the selection and control of collection activities and the entering of necessary parameters for the NetWare™ environment. Sample screens 85c, 85d for Windows NT environments are shown in FIGS. 5c and 5d.
As previously noted, only information provided by the various collection agents 72a-72n is provided to the collection agent abstraction facility 74, which performs the major function steps identified in FIG. These steps include step 100a, involving scheduling the starting of the program at a designated time of day. This is followed by steps 100b, 100c, 100d, 100e and 100f, which entail such functions as reading data from the particular collection agents, determining the type of environment of the received data, mapping the data to a generic language using an appropriate map for the environment, sending the mapped data to the database 76 and repeating the above steps for the remaining collection agents.

FIG. 11a is an example of source code or control statements for a parsing utility used as a part of the implementation of the collection agent abstraction facility 74 for NetWare™ parsing. Its basic function is to rearrange and decipher platform-specific input fields into the common format. FIG. 11b is an example of the beginning of a Perl script used to parse and reformat detailed Windows NT security log records into the standard internal format used for audit data. FIG. 11c is a continuation of the Perl script of FIG. 11b.
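The mapping step performed by the collection agent abstraction facility 74, and the reverse mapping performed by the maintenance agent abstraction facility 90 when a platform independent instruction such as AddUserAccount is pushed to one platform, can be illustrated in code. What follows is an added example written for this page, not the patent's FIG. 11a-11c code. It uses the NetWare™ and Windows NT field layouts the specification gives with FIG. 10 (NetWare: ID = ID, Name = Name/Dept/Pay; NT: Name = Name, Extra Info = Dept + Pay) and splits the name field into the search tokens described with Table III. The record key names, the space separating Dept and Pay in the NT Extra Info field, the NT "Username" key, the "Disabled" flag, the payroll token name and all sample records are assumptions.

```python
"""Added example for this page, not the patent's FIG. 11a-11c code: a
collection agent abstraction facility (cf. facility 74) mapping platform-specific
user-account records into the technology-independent record of Table III, and
the reverse map a maintenance agent abstraction facility (cf. facility 90) uses
when AddUserAccount(id, platformList, name, ...) is pushed to one platform.

Field layouts follow the FIG. 10 description on the page:
    NetWare:  ID = ID,      Name = Name + "/" + Dept + "/" + Pay
    NT:       Name = Name,  Extra Info = Dept + Pay
Assumptions not on the page: a space between Dept and Pay in Extra Info, the
NT logon name in "Username", the record key names, the "Disabled" flag, the
payroll token name, and the sample records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NAME_TOKEN_RE = re.compile(r"[A-Za-z']+")


@dataclass
class CommonUserAccount:
    """Subset of the Table III USER ACCOUNT RELATED fields."""
    security_domain_type_code: str
    security_domain_name: str
    user_account_id: str
    user_account_name: str
    user_account_name_tokens: list[str] = field(default_factory=list)
    user_account_department_token: str | None = None
    user_account_payroll_token: str | None = None
    user_account_disabled: bool = False


def tokenize_name(name: str) -> list[str]:
    """Split the name field into lower-case search tokens ("Doe, Jane" -> doe, jane)."""
    return [t.lower() for t in NAME_TOKEN_RE.findall(name)]


def _blank_to_none(s: str | None) -> str | None:
    s = (s or "").strip()
    return s or None


def map_netware(domain: str, rec: dict) -> CommonUserAccount:
    """NetWare packs Name, Dept and Pay into one '/'-separated Name field;
    missing trailing parts ("Guest//") become None, not empty tokens."""
    parts = (rec["Name"].split("/") + ["", ""])[:3]
    name = parts[0].strip()
    return CommonUserAccount("NW", domain, rec["ID"], name, tokenize_name(name),
                             _blank_to_none(parts[1]), _blank_to_none(parts[2]),
                             bool(rec.get("Disabled", False)))


def map_nt(domain: str, rec: dict) -> CommonUserAccount:
    """NT keeps Name clean and carries 'Dept Pay' in Extra Info."""
    extra = (rec.get("Extra Info", "").split() + [None, None])[:2]
    name = rec["Name"]
    return CommonUserAccount("NT", domain, rec["Username"], name, tokenize_name(name),
                             extra[0], extra[1], bool(rec.get("Disabled", False)))


PLATFORM_MAPS = {"NetWare": map_netware, "NT": map_nt}


def abstract_records(agent_output: list[dict]) -> list[CommonUserAccount]:
    """Steps 100b-100f: read each agent's data, determine its environment,
    apply that environment's map, collect the common-format records.  An
    unknown environment is an error, so a misconfigured agent is not ignored."""
    common: list[CommonUserAccount] = []
    for batch in agent_output:
        env = batch["environment"]
        if env not in PLATFORM_MAPS:
            raise ValueError(f"no map for environment {env!r}")
        common.extend(PLATFORM_MAPS[env](batch["domain"], r) for r in batch["records"])
    return common


def add_user_account_fields(platform: str, id_: str, name: str, dept: str, pay: str) -> dict:
    """Reverse map for AddUserAccount: common data into the platform's native
    fields, in the FIG. 10 layout, so that map_* recovers the same tokens."""
    if platform == "NetWare":
        return {"ID": id_, "Name": f"{name}/{dept}/{pay}"}
    if platform == "NT":
        return {"Username": id_, "Name": name, "Extra Info": f"{dept} {pay}"}
    raise ValueError(f"unsupported platform {platform!r}")


def accounts_by_payroll(records: list[CommonUserAccount]) -> dict[str, list[str]]:
    """Cross-domain join on the payroll token: the 'all accounts for a single
    user' query that the manual maintenance agent supports."""
    groups: dict[str, list[str]] = {}
    for r in records:
        if r.user_account_payroll_token:
            groups.setdefault(r.user_account_payroll_token, []).append(
                f"{r.security_domain_name}\\{r.user_account_id}")
    return groups


# Constructed sample output of two collection agents (not real data).
SAMPLE_AGENT_OUTPUT = [
    {"environment": "NetWare", "domain": "NW_FILESRV1", "records": [
        {"ID": "jdoe", "Name": "Doe, Jane/ACCT/44178"},
        {"ID": "guest", "Name": "Guest//", "Disabled": True}]},
    {"environment": "NT", "domain": "CORP", "records": [
        {"Username": "jdoe", "Name": "Jane Doe", "Extra Info": "ACCT 44178"}]},
]

if __name__ == "__main__":
    common = abstract_records(SAMPLE_AGENT_OUTPUT)
    for r in common:
        print(r)
    print(accounts_by_payroll(common))
    print(add_user_account_fields("NetWare", "jdoe", "Doe, Jane", "ACCT", "44178"))
```

The payroll token is the only field that survives unchanged on both platforms, which is why the cross-domain join keys on it rather than on the name, whose order differs between the two layouts.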

While Table II presented above shows the type of data that 
is input to the collection agent abstraction facility 74, Table 
III reproduced below shows the output data fields of the 
collection agent abstraction facility. 

TABLE III

Collection Agent Abstraction Layer Output Field
(technology independent)

USER ACCOUNT RELATED
security domain type code
security domain name
user account id
user account name
user account last login date
user account creation date
user account created by id
user account disabled
user account name tokens
user account ssn token
user account department token
user encrypted password
SECURITY GROUP RELATED
security domain type code
security domain name
group name
group user accounts
SECURITY DOMAIN RELATED
security domain type code
security domain name
security domain minimum password length
security domain password requires alpha and num
security domain password history count
security domain password reuse count
security domain password pre-expired indicator
security domain failed login disable count
security domain workstation disable indicator
security domain legal notice indicator
security domain operating system version
security domain operating system type
security domain operating system patch number
security domain hardware information
RESOURCE ACCESS RELATED
security domain type code
security domain name
user account id
resource name
resource type
resource access privileges
FILE RELATED
security domain type code
security domain name
file name
file creation date
file created by
file last update date
file last updated by
file size
file permissions
file location
AUDIT EVENT RELATED
security domain type code
security domain name
event code
event date and time
event user
event success or fail indicator
event file name
event other information



The major enhancement to the collected data centers around decoding information that is normally placed in the name field of each user account record. Common practice is to include name and/or payroll number and/or organization code. The name is also split into "tokens" to allow searching and facilitate analysis of collected information.

As shown in FIG. 6a, the database 76 stores data 76a obtained from the security domains 70a-70n which has been rationalized and reformatted by the collection agent abstraction facility 74. It also holds policy data 76b which reflects the set of rules and regulations applicable to the security system, which has been manually input by security personnel as indicated by reference numeral 77 in FIG. 3b, or pre-stored therein. The compliance agent 78 serves to review the reformatted data 76a and the policy data 76b and to compare them. Whenever the collected data indicates non-compliance, or less stringent compliance than standard policy requirements, an exception is triggered and appropriate exception reports 79 are generated. Certain ones of the exception reports 79 may also be sent to the active agent 84, as indicated by line 85, for further processing and action by the active agent. FIGS. 7a, 7b and 7c are examples of compliance agent reports, i.e. the exception reports 79.

The following is a partial list of exception conditions:

minimum password length is too short
password life is longer than 90 days
more than 3 failed logins are being allowed before an account is disabled
concurrent logins are allowed
account has not been used in 90 days and is not disabled
account was used after employee termination date

Certain conditions can be automatically fixed by the system. Unused accounts can be automatically disabled. Password length and life parameters can be changed. In cases where automatic correction is desired, the compliance agent 78 sends instructions to the active agent 84 specifying what needs to be changed. The active agent 84 can then correct the exception condition by sending the appropriate instruction to the maintenance agent abstraction facility 90.
FIG. presents in a self-explanatory manner the key steps 78a, 78b, 78c, 78d and 78e that are carried out by the compliance agent 78.
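The comparison carried out by the compliance agent 78 between the collected data 76a and the policy data 76b, for the exception conditions listed above, is shown in the following added example written for this page; it is not the patent's own code. It assumes two security domain fields that Table III does not name (password life in days, concurrent logins allowed), an HR feed of termination dates keyed by user account id, the instruction names SetMinimumPasswordLength and SetPasswordLife for the parameters the specification says can be changed automatically, and constructed sample data.

```python
"""Added example for this page, not the patent's code: a compliance agent
(cf. agent 78) comparing common-format data 76a against policy data 76b.
It produces the exception conditions listed in the specification and, for the
conditions the page says can be corrected automatically (unused accounts,
password length and life parameters), the instruction for the active agent 84.

Assumptions not on the page: the domain fields 'security domain password life
days' and 'security domain concurrent logins allowed', the HR termination-date
feed keyed by user account id, the instruction names SetMinimumPasswordLength
and SetPasswordLife, and all sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy data 76b, as entered by security personnel (reference 77).
POLICY = {
    "min_password_length": 8,
    "max_password_life_days": 90,
    "max_failed_logins": 3,
    "allow_concurrent_logins": False,
    "max_unused_days": 90,
}


@dataclass(frozen=True)
class ExceptionRecord:
    """One line of an exception report 79."""
    domain: str
    subject: str                     # security domain name or user account id
    condition: str
    instruction: str | None = None   # sent to active agent 84 when auto-fixable


def check_domain(d: dict, policy: dict = POLICY) -> list[ExceptionRecord]:
    """SECURITY DOMAIN RELATED checks.  Only a setting less stringent than
    policy triggers an exception; a stricter local setting passes."""
    name = d["security domain name"]
    out: list[ExceptionRecord] = []
    if d["security domain minimum password length"] < policy["min_password_length"]:
        out.append(ExceptionRecord(name, name, "minimum password length is too short",
                   f"SetMinimumPasswordLength({name!r}, {policy['min_password_length']})"))
    if d["security domain password life days"] > policy["max_password_life_days"]:
        out.append(ExceptionRecord(name, name, "password life is longer than 90 days",
                   f"SetPasswordLife({name!r}, {policy['max_password_life_days']})"))
    if d["security domain failed login disable count"] > policy["max_failed_logins"]:
        out.append(ExceptionRecord(name, name,
                   "more than 3 failed logins are being allowed before an account is disabled"))
    if d["security domain concurrent logins allowed"] and not policy["allow_concurrent_logins"]:
        out.append(ExceptionRecord(name, name, "concurrent logins are allowed"))
    return out


def check_account(a: dict, terminated: dict[str, date], today: date,
                  policy: dict = POLICY) -> list[ExceptionRecord]:
    """USER ACCOUNT RELATED checks.  An account that has never logged in is
    measured from its creation date, so a stale never-used account is caught."""
    name, uid = a["security domain name"], a["user account id"]
    last = a["user account last login date"]
    since = last or a["user account creation date"]
    out: list[ExceptionRecord] = []
    if not a["user account disabled"] and (today - since).days > policy["max_unused_days"]:
        out.append(ExceptionRecord(name, uid,
                   "account has not been used in 90 days and is not disabled",
                   f"DisableUserAccount({uid!r}, [{name!r}])"))
    term = terminated.get(uid)
    if term is not None and last is not None and last > term:
        out.append(ExceptionRecord(name, uid, "account was used after employee termination date",
                   f"DisableUserAccount({uid!r}, [{name!r}])"))
    return out


def run_compliance(domains, accounts, terminated, today, policy=POLICY):
    """Compliance agent 78: review 76a against 76b and collect the exceptions."""
    exceptions: list[ExceptionRecord] = []
    for d in domains:
        exceptions += check_domain(d, policy)
    for a in accounts:
        exceptions += check_account(a, terminated, today, policy)
    return exceptions


def corrective_instructions(exceptions) -> list[str]:
    """De-duplicated instructions for the active agent 84, in report order."""
    seen, out = set(), []
    for e in exceptions:
        if e.instruction and e.instruction not in seen:
            seen.add(e.instruction)
            out.append(e.instruction)
    return out


# Constructed sample data (not collected from any real system).
SAMPLE_DOMAINS = [
    {"security domain name": "CORP", "security domain minimum password length": 6,
     "security domain password life days": 180, "security domain failed login disable count": 5,
     "security domain concurrent logins allowed": True},
    {"security domain name": "NW_FILESRV1", "security domain minimum password length": 10,
     "security domain password life days": 60, "security domain failed login disable count": 3,
     "security domain concurrent logins allowed": False},
]
SAMPLE_ACCOUNTS = [
    {"security domain name": "CORP", "user account id": "jdoe", "user account disabled": False,
     "user account creation date": date(2022, 3, 1), "user account last login date": date(2024, 5, 22)},
    {"security domain name": "CORP", "user account id": "tmp_contractor", "user account disabled": False,
     "user account creation date": date(2023, 6, 1), "user account last login date": date(2024, 1, 1)},
    {"security domain name": "CORP", "user account id": "bsmith", "user account disabled": False,
     "user account creation date": date(2021, 9, 1), "user account last login date": date(2024, 4, 1)},
    {"security domain name": "CORP", "user account id": "svc_old", "user account disabled": True,
     "user account creation date": date(2020, 1, 1), "user account last login date": date(2023, 1, 1)},
    {"security domain name": "CORP", "user account id": "newhire", "user account disabled": False,
     "user account creation date": date(2023, 11, 1), "user account last login date": None},
]
SAMPLE_TERMINATIONS = {"bsmith": date(2024, 3, 15)}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    found = run_compliance(SAMPLE_DOMAINS, SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, TODAY)
    for e in found:
        print(e)
    print(corrective_instructions(found))
```

The failed-login and concurrent-login conditions deliberately carry no instruction: the specification names only unused accounts and the password parameters as auto-correctable, so those two stay report-only for a person to act on.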

Referring again to FIG. 3b, the alert agent 80 comprises software that analyzes collected data residing in the database 76 to determine whether unusual security activities have taken place. Examples of such activity are an unusually large increase in the number of failed access attempts, repeated failed attempts from a single user or location, or modification of certain key security or operating system files within any one of the security domains 70a-70n. The alert agent 80 automatically notifies appropriate personnel by e-mail, phone and/or pager. This is indicated by the alarm arrow 81 in FIG. 3b. The alert agent 80 is unique in that it is able to monitor across dissimilar environments, protecting against more sophisticated intrusion attacks that cannot be detected with previous generations of tools, which could only monitor one security domain at a time. The main sequence of program events taking place at the alert agent 80 is indicated in FIG. 4A. The logic of the alert agent 80 is shown in FIG. 4h to include the major software steps 102a, 102b, 102c, 102d and 102e, which are self-explanatorily presented.

As further shown in FIG. 6b, the database 76 also includes a threshold parameters data block 76c, and the alert agent 80 is responsive both to the security domain collected data 76a and to the threshold parameters 76c. The alert agent 80 scans the collected data, looking mostly at an event audit table which has the general organization shown in FIG. 8a (in which server names and user IDs have been blanked out for security reasons). It counts failed login attempts and failed file accesses by user, domain, location, file name, computer name, etc. It reports exception conditions based on reaching thresholds that are kept in the database as parameters 76c. The alert agent 80 also reports on single critical events such as a change made to a key security control (e.g. the stopping of the logging or counting of failed logins), or deactivation or failure of a security component (for example, clearing of a security log file). The alarm line 81 of FIG. 3b can result in the automatic placement of a phone call 81a, an e-mail message 81b or a pager message 81c, as indicated in FIG. 6b.

The query agent 82 of FIG. 3b similarly interfaces with the database 76 and comprises interface software that allows system users to access the database information. Both standard and ad-hoc queries are supported by the software implementation of the agent 82. The query agent 82 has been reduced to practice in a form that uses Internet/Intranet technology, i.e. a web browser, to allow access with a minimum of connectivity and software distribution problems. Any query tool that handles Sybase could be used in the implementation. The tool used in the embodiment that has been reduced to practice is Sybperl™. The flow logic of the query agent 82 is shown in FIG. 4g to include major software steps 104a, 104b, 104c, 104d and 104e, which are self-explanatorily presented.

As shown in FIG. 6d, the query agent 82 supports queries on the following data objects: user accounts 82a, security groups 82b, security domain reports 82c, operating system and security product reports 82d and standard audit/alert reports 82e. The foregoing queries on objects 82a through 82b allow the user to select which data fields to report, sort order, and record selection criteria.

In addition to customizable queries, the query agent 82 also supports standard reports 82e, for example, accounts used after an employee is terminated and a report of users of "high risk applications". A typical standard report from the query agent 82 is shown in FIG. 8b.

The manual maintenance agent software 86 (FIG. 3b) is user interface software that allows maintenance to be done on any supported platform using a standard user interface, for example, a user interface that operates in accordance with the flow-chart of FIG. 9a. Such a user interface may comprise a search screen 86a, a list of accounts screen 86b, a single account detail screen 86c, an account updating screen 86d and such other screens as are necessary to provide full and effective communication by users of the system. Differences between different platforms are handled behind the scenes by the maintenance agent abstraction facility 90 (FIG. 3b) which receives instructions from the manual maintenance agent 86.

As shown in FIG. 6e, the manual maintenance agent software 86 allows the user to query collected data and make changes based on manual/user inputs 87 which are conveyed to the maintenance agent abstraction facility 90. Complex queries are supported, such as the ability to reveal all accounts for a single user. Complex changes are also supported, including the ability to propagate a single change to multiple security domains 70a-70n. This is useful, for example, when a user's name changes, or when a new user is added to several environments and services. Changes are stored in separate database tables from the collected data.

The manual maintenance agent 86 takes inputs from the user and converts them into platform independent security maintenance instructions which are then processed by the maintenance agent abstraction facility 90. Examples of platform independent security maintenance categories and data are as follows:

AddUserAccount(id, platformList, name, PayrollNumber, expenseCode)
RemoveUserAccount(id, platformList)
AddUserAccountToGroup(id, platformList, GroupName)
RemoveUserAccountFromGroup(id, platformList, GroupName)
ModifyUserAccountName(id, platformList, name)
ModifyUserAccountPay(id, platformList, Pay)
ModifyUserAccountExpenseCode(id, platformList, expenseCode)
DisableUserAccount(id, platformList)

FIG. 8c shows the screen used to designate how often data should be collected. FIG. 8d shows the screen used to designate the server from which data should be collected. FIG. 8e shows the screen used to designate high risk applications. FIG. 8f shows the screen used to designate the environment. FIG. 8g shows the screen used to designate high risk reports. FIG. 8h shows the screen used to designate event code mapping of native codes to the common system code.

The mapping tables are generated from data entered by the user. FIG. 10 shows the input screen presented to the user. For a NetWare™ platform, the data provided by the user would be placed into two fields in the following format:

ID = ID
Name = Name + "/" + Dept + "/" + Pay

For an NT platform, the same data would be placed in different fields as:

Name = Name
Extra Info = Dept + Pay

Although the present invention has been described in relation to particular embodiments thereof, many other variations and modifications and other uses will become apparent to those skilled in the art, such as the functional split between collection agents 72a-72n and the collection agent abstraction layer or facility 74, and between the individual maintenance agents 92a-92n and the maintenance agent abstraction layer or facility 90. It is preferred, therefore, that the present invention be limited not by the specific disclosure herein, but only by the appended claims.
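The threshold and critical-event logic of the alert agent 80, operating on common-format audit event records from several security domains in one pass, is shown in the following added example written for this page; it is not the patent's own code. The common event codes LOGIN, FILE_ACCESS, AUDIT_POLICY_CHANGE and LOG_CLEARED are taken as an assumed outcome of the FIG. 8h event code mapping; the computer name is assumed to travel in the "event other information" field; the threshold values 76c, the baseline used for the large-increase test, the routing of alarms to phone, e-mail and pager, and all sample events are likewise assumptions.

```python
"""Added example for this page, not the patent's code: an alert agent
(cf. agent 80) scanning common-format AUDIT EVENT RELATED records (Table III)
from several security domains in one pass.  It counts failed logins and failed
file accesses by user and by computer, compares the counts with threshold
parameters 76c, tests for a large increase over a baseline, and raises
single-event alarms for the critical events the specification names.

Assumptions not on the page: the common event codes (taken as an outcome of
the FIG. 8h event code mapping), the computer name in 'event other
information', the threshold values, the baseline, the channel routing and
all sample events.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLDS = {                      # threshold parameters 76c (assumed values)
    "failed_logins_per_user": 5,
    "failed_logins_per_computer": 10,
    "failed_file_access_per_user": 20,
    "failed_login_increase_factor": 3.0,
}
CRITICAL_CODES = {
    "AUDIT_POLICY_CHANGE": "logging or counting of failed logins changed",
    "LOG_CLEARED": "security log cleared",
}
CHANNELS = {"critical": ("phone", "pager", "e-mail"), "threshold": ("e-mail",)}


@dataclass(frozen=True)
class Alarm:
    severity: str   # "critical" or "threshold"
    key: str        # user, computer, domain or "all domains"
    detail: str
    count: int = 1

    @property
    def channels(self) -> tuple[str, ...]:
        """Alarm line 81: phone call 81a, e-mail 81b, pager 81c."""
        return CHANNELS[self.severity]


def _failed(ev: dict, code: str) -> bool:
    return ev["event code"] == code and ev["event success or fail indicator"] == "FAIL"


def failed_logins_per_domain_user(events: list[dict]) -> Counter:
    """What a single-domain tool sees: counts keyed by (domain, user)."""
    return Counter((ev["security domain name"], ev["event user"])
                   for ev in events if _failed(ev, "LOGIN"))


def scan(events: list[dict], baseline_failed_logins: int,
         thresholds: dict = THRESHOLDS) -> list[Alarm]:
    """Read events, count, compare with thresholds, report."""
    alarms: list[Alarm] = []
    by_user, by_computer, files_by_user = Counter(), Counter(), Counter()
    for ev in events:
        code = ev["event code"]
        if code in CRITICAL_CODES:   # single critical event, no counting needed
            when = ev["event date and time"].strftime("%Y-%m-%d %H:%M")
            alarms.append(Alarm("critical", ev["security domain name"],
                                f"{CRITICAL_CODES[code]} by {ev['event user']} at {when}"))
        elif _failed(ev, "LOGIN"):
            by_user[ev["event user"]] += 1            # summed across all domains
            by_computer[ev["event other information"]] += 1
        elif _failed(ev, "FILE_ACCESS"):
            files_by_user[ev["event user"]] += 1
    checks = [
        (by_user, "failed_logins_per_user", "repeated failed logins by one user"),
        (by_computer, "failed_logins_per_computer", "repeated failed logins from one computer"),
        (files_by_user, "failed_file_access_per_user", "repeated failed file accesses by one user"),
    ]
    for counter, limit, detail in checks:
        for key, n in counter.items():
            if n > thresholds[limit]:
                alarms.append(Alarm("threshold", key, detail, n))
    total = sum(by_user.values())
    if baseline_failed_logins and total > baseline_failed_logins * thresholds["failed_login_increase_factor"]:
        alarms.append(Alarm("threshold", "all domains",
                            f"failed logins up from baseline {baseline_failed_logins}", total))
    return alarms


DOMAINS = [("NT", "CORP"), ("NW", "NW_FILESRV1"), ("UX", "unix01")]


def build_sample_events() -> list[dict]:
    """Constructed sample audit data in Table III layout (not real logs)."""
    t0, events = datetime(2024, 6, 1, 8, 0), []

    def add(dom, code, user, outcome, computer, fname=""):
        events.append({"security domain type code": dom[0], "security domain name": dom[1],
                       "event code": code, "event date and time": t0 + timedelta(minutes=len(events)),
                       "event user": user, "event success or fail indicator": outcome,
                       "event file name": fname, "event other information": computer})

    for dom in DOMAINS:                      # jdoe: only 2 failures in each domain
        for _ in range(2):
            add(dom, "LOGIN", "jdoe", "FAIL", "WS-042")
    for k in range(11):                      # one workstation trying many accounts
        add(DOMAINS[k % 3], "LOGIN", f"user{k}", "FAIL", "WS-117")
    add(DOMAINS[0], "LOGIN", "jdoe", "SUCCESS", "WS-042")
    for _ in range(3):
        add(DOMAINS[1], "FILE_ACCESS", "jdoe", "FAIL", "WS-042", "SYS:PAYROLL/Q2.DAT")
    add(DOMAINS[0], "LOG_CLEARED", "administrator", "SUCCESS", "DC-01")
    return events


if __name__ == "__main__":
    for a in scan(build_sample_events(), baseline_failed_logins=5):
        print(a.severity, a.key, a.count, a.detail, a.channels)
```

In the sample, jdoe never exceeds two failures in any single domain, so a per-domain monitor stays silent; summing across the common-format records from all three domains is what pushes the count over the per-user threshold, which is the cross-domain point the specification makes for the alert agent.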
What is claimed is: 

1. A centralized security system for a computer network comprising a plurality of discrete computer subsystems, each subsystem having a discrete security domain associated therewith, the centralized security system comprising:

a plurality of collection agents, each agent being operatively coupled with a respective one of said discrete security domains for collecting differently presented security-related data of said security domains;

a collection agent abstraction facility coupled to said collection agents and effective for transforming the differently presented security-related data into a common-format security data which has a format common across said security domains;

a database for storing said common-format security data from the collection agent abstraction facility, the database being comprised of a standardized, off-the-shelf database software program;

a security controlling facility for examining the security data stored in the database, for ensuring that the security related data in the database indicates that the security domains are in compliance with pre-determined security regulations and for issuing security related common-format commands effective for correcting computer security breach conditions; and

a security maintenance software facility for receiving the common format commands and translating them into specific commands that are specific to and understandable by the various security domains.

2. The computer security system of claim 1, in which the security controlling facility includes a maintenance agent abstraction facility for producing the common-format commands.

3. The computer security system of claim 2, in which the security maintenance software facility includes a plurality of maintenance agents coupled to the maintenance agent abstraction facility, each maintenance agent being configured to communicate and provide the specific commands to a specific one of said security domains with which it is associated.

4. The computer security system of claim 2, in which the security controlling facility includes means for parsing and validating incoming data.

5. The computer security system of claim 2, in which the security controlling facility includes means for consulting mapping tables which convert incoming data to said common-format commands.

6. The computer security system of claim 1, in which the security controlling facility comprises a compliance facility coupled to and communicating with the database for analyzing the data in the database and for determining that individual ones of the security domains are out of compliance with the security regulations, when warranted.

7. The computer security system of claim 6, further comprising an active agent coupled to the compliance facility for formulating specific corrective actions needed to correct said computer security breach conditions.

8. The computer security system of claim 7, further comprising an alert agent coupled to the database for communicating said computer security breach conditions to personnel responsible for security.
9. The computer security system of claim 8, further including a manual maintenance agent coupled to the security controlling facility for providing manual control over the security controlling facility.

10. The computer security system of claim 9, in which the security manual maintenance agent includes means for conducting searches of user accounts.

11. The computer security system of claim 8, further comprising a query agent coupled to the security controlling facility for enabling personnel to obtain specific information concerning security conditions within the computer network.

12. The computer security system of claim 11, in which the query agent includes means for generating security group reports.

13. The computer security system of claim 11, in which the query agent includes means for generating operating system and security product reports.

14. The computer security system of claim 8, in which the alert agent comprises means for communicating with personnel via communication links selected from the group including telephones, e-mail and pagers.

15. The computer security system of claim 1, wherein the security domains are comprised of different software operating systems.

16. The computer security system of claim 1, further comprising a facility for generating exception reports describing deviations from the security regulations.

17. The computer security system of claim 1, in which the database comprises security-policy data.

18. The computer security system of claim 1, in which the database comprises threshold parameters which define situations triggering alarm conditions.

19. The computer security system of claim 1, in which each one of the security domains associated with an entire network of an organization is connected to a respective one of said collection agents.

20. A method of centrally controlling security in a computer network comprising a plurality of discrete computer subsystems each having a discrete security domain associated therewith, the method comprising the steps of:

separately collecting from each of the security domains security-related data associated with each security domain, wherein each security-related data is uniquely presented;

supplying the security-related data collected from the security domains to a collection agent abstraction facility and deploying the collection agent abstraction facility to transform the separately collected security-related data into a common-format security data, said transformation of the separately collected security-related data including the steps of:
mapping the data collected from a single security domain to a generic language using a predet
ermined map for the environment; and
sending the mapped data to a database;

storing the common-format security data in the database;

analyzing the common-format security-related data for discerning in the data out-of-compliance conditions in specific ones of said security domains by comparing the data with predetermined security regulations;

issuing common-format security-related commands effective for controlling security at the individual security domains;

converting the common-format security-related commands to a plurality of specific security commands which are configured to be understood by corresponding ones of said security domains; and

repeating the above steps for remaining ones of said security domains.

21. The method of claim 20, including converting the common-format security-related commands to at least one specific command which results in iterative execution of a single maintenance agent function.

22. The method of claim 20, in which the out-of-compliance conditions include one or more of the following conditions:

a) an unusually large increase in the number of failed access attempts;

b) repeated failed attempts from a single user or location;

c) attempted modification of predetermined key security regulations;

d) minimum password length is less than a predetermined number of characters;

e) password life is longer than 90 days;

f) more than three failed logins not being disallowed before an account is disabled;

g) concurrent logins are allowed;

h) account has not been used in 90 days and has not been disabled; and

i) account was used after employee termination date.

23. The method of claim 20, including storing in the database threshold parameters for triggering alarm conditions which require the alerting of security personnel.

24. The method of claim 20, including controlling how often security-related data is collected from each of the security domains.

25. The method of claim 20, including providing an operator controlled field which can be used to designate from which one of said security domains security-related data is to be collected.

26. The method of claim 20, in which the step of separately collecting the security-related data from the security domains comprises providing a plurality of collection agents, each agent being operatively coupled with a respective one of said discrete security domains for collecting differently presented security-related data of said security domains.

27. The method of claim 20, in which the step of converting the common-format security-related commands to specific security commands comprises using a plurality of maintenance agents coupled to a maintenance agent abstraction facility, wherein each maintenance agent is configured to communicate and provide the specific security commands to a specific one of said security domains with which it is associated.

28. A method of centrally controlling security in a computer network comprising a plurality of discrete computer subsystems each having a discrete security domain associated therewith, the method comprising the steps of:

separately collecting from each of the security domains security-related data associated with each security domain, wherein each security-related data is uniquely presented;

supplying the security-related data collected from the security domains to a collection agent abstraction facility and deploying the collection agent abstraction facility to transform the separately collected security-related data into a common-format security data;

storing the common-format security data in a database;

analyzing the common-format security-related data for discerning in the data out-of-compliance conditions in specific ones of said security domains by comparing the data with predetermined security regulations;

issuing common-format security-related commands effective for controlling security at the individual security domains; and

converting the common-format security-related commands to a plurality of specific security commands which are configured to be understood by corresponding ones of said security domains, the plurality of specific security commands including a specific command which results in the execution of multiple maintenance agent actions.

29. The method of claim 28, in which the out-of-compliance conditions include one or more of the following conditions:

a) an unusually large increase in the number of failed access attempts;

b) repeated failed attempts from a single user or location;

c) attempted modification of predetermined key security regulations;

d) minimum password length is less than a predetermined number of characters;

e) password life is longer than 90 days;

f) more than three failed logins not being disallowed before an account is disabled;

g) concurrent logins are allowed;

h) account has not been used in 90 days and has not been disabled; and

i) account was used after employee termination date.

30. The method of claim 28, including storing in the database threshold parameters for triggering alarm conditions which require the alerting of security personnel.

31. The method of claim 28, including controlling how often security-related data is collected from each of the security domains.

32. The method of claim 28, including providing an operator controlled field which can be used to designate from which one of said security domains security-related data is to be collected.

33. The method of claim 28, in which the step of separately collecting the security-related data from the security domains comprises providing a plurality of collection agents, each agent being operatively coupled with a respective one of said discrete security domains for collecting differently presented security-related data of said security domains.

34. The method of claim 28, in which the step of converting the common-format security-related commands to specific security commands comprises using a plurality of maintenance agents coupled to a maintenance agent abstraction facility, wherein each maintenance agent is configured to communicate and provide the specific security commands to a specific one of said security domains with which it is associated.